Despite the arrests of three of its members last year, a cybercrime group by the name of Fin7 continues to target businesses with its highly-effective malware campaign.

Researchers with cyber threat intelligence company Flashpoint have discovered a new attack panel that seemingly points back to the group. The panel’s code references Combi Security, a company previously used as a legitimate front by the cybercriminals behind Fin7.

The panel, named Astra by the researchers, acts as a script-management system, which sends malicious scripts to computers compromised by the group.

According to Flashpoint, the group used highly-targeted spear phishing emails to trick victims into opening malicious attachments. This would infect the victim’s device with a previously unseen strain of malware called SQLRat, which was used to install files and execute malicious scripts on the victim’s system.

The researchers also found a second new malware sample, named DNSbot, which allowed data to be pushed to and from the compromised system.

Despite the arrests in January last year of three Ukrainian citizens suspected of being high-ranking members of the prolific hacking group, Flashpoint discovered activity from the campaign as recently as July 2018, showing that the Fin7 group has continued to operate.


In August, US attorney Annette Hayes admitted that “we are under no illusion that we have taken this group down altogether”, but insisted that the arrests had “made a significant impact”.

However, the newly discovered campaign showed signs of more sophistication than previous Fin7 campaigns, such as the use of SQL scripts. As these scripts don’t leave behind artefacts the way traditional malware would, no trace of malicious activity remains on the system, making the malware more difficult to detect. This suggests that enough members of the Fin7 group remain who possess the know-how to continue running the operation.

Fin7: A billion dollar operation

Fin7’s criminal activities can be traced back to 2015, when the group began targeting point-of-sale systems belonging to major US businesses. Infecting these systems with specially-designed malware, the criminal group was able to steal payment information belonging to those that had completed purchases through an infected company’s system.

According to the United States Department of Justice, the group is alleged to have stolen more than 15 million credit card numbers from over 3,600 businesses in the US alone. Businesses based in the UK, France and Australia also claim to have been targeted by the group.

The group is known to have used four malware strains to infect systems and steal data from businesses. These are Carbanak, a remote backdoor used for accessing systems remotely and extracting data; HALFBAKED, used to establish persistence on a system; POWERSOURCE, used for accessing systems remotely; and TEXTMATE, which performs a similar function.

In the case of the three men arrested, US prosecutors claim that it took just two weeks for the group to obtain username and password combinations for almost 800 Red Robin restaurants around the US, which were used to infect the burger chain’s PoS systems.

The sensitive information obtained, as well as information from Fin7’s other breaches, was put up for sale on the dark web. According to one cybersecurity expert, the group was making at least $50m each month, having likely generated more than $1bn through their hacking campaigns.
